Back to Home

Privacy Policy

Last updated:

Introduction

Shiplist (referred to as "we", "us", or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our product roadmap management platform at shiplist.app (the "Service").

We are committed to compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

Contact Information:

  • Operator: Maria Saggese
  • Address: Via Giacomo Brodolini 14
  • Email: info@shiplist.app
  • Data Protection Officer: Maria Saggese (info@shiplist.app)

    • This Privacy Policy applies to all users of the Service, including free and paid subscribers. By using Shiplist, you agree to the collection and use of information in accordance with this policy.

    Information We Collect

    We collect various types of information to provide and improve our Service. This includes information you provide directly, information collected automatically, and information from third parties.

    Account Information

    When you create an account, we collect:

  • Email address (required for authentication and communication)
  • Display name (optional, user-provided)
  • Avatar URL (optional, user-provided)
  • Password (stored as a secure hash, never in plain text)
  • Organization membership (if you join or create an organization)
  • Account creation date

    • Product Usage Data

    When you use our Service, we collect:

  • Roadmaps: titles, descriptions, visibility settings, creation dates
  • Features/Items: titles, descriptions, statuses, progress indicators, categories, tags
  • Ideas: user-submitted feedback, descriptions, categories, votes
  • Comments: discussions and feedback on ideas and announcements
  • Votes: anonymous voting data via browser fingerprints (not linked to user accounts)
  • Announcements: product updates and news you create
  • Analytics: usage patterns, feature adoption, engagement metrics

    • Payment Information

    For paid subscriptions, we collect:

  • Stripe Customer ID (unique identifier for your payment account)
  • Subscription plan and status (Free, Pro, or Team)
  • Billing information (stored and processed by Stripe, not by us directly)

    • We do not store credit card numbers or full payment details on our servers. All payment processing is handled securely by Stripe.

    Technical Data

    We automatically collect technical information:

  • Browser fingerprint (for anonymous voting and fraud prevention)
  • IP address (for security, rate limiting, and fraud prevention)
  • Device information (browser type, operating system, device type)
  • Usage analytics (via Umami Analytics, when consented - privacy-friendly, no personal data)
  • Session data (authentication tokens, session IDs)
  • Performance metrics (page load times, errors, crashes)

    • Cookies and Similar Technologies

    We use cookies and similar tracking technologies:

  • Essential cookies: Required for authentication and security (always active)
  • Session cookies: Maintain your logged-in session
  • Preference cookies: Remember your theme (dark/light mode) and language preferences
  • Analytics cookies: Track usage patterns (optional, requires your consent)

    • For detailed information about our cookie usage, please see our Cookie Policy.

    How We Use Your Information

    We use your personal data for the following purposes, based on legal grounds including contractual necessity, legitimate interests, and consent:

    Provide and Maintain the Service

  • Create and manage your account
  • Enable you to create and manage roadmaps, ideas, and announcements
  • Process and display votes and feedback
  • Synchronize data across devices
  • Provide customer support

    • Legal basis: Performance of contract

    Process Payments

  • Handle subscription payments via Stripe
  • Manage billing and invoices
  • Detect and prevent payment fraud

    • Legal basis: Performance of contract, legitimate interests (fraud prevention)

    Communications

  • Send account-related notifications (password resets, security alerts)
  • Notify you of activity on your roadmaps (new votes, comments, ideas)
  • Send product updates and feature announcements (can be disabled in settings)
  • Respond to your support inquiries

    • Legal basis: Performance of contract, legitimate interests (customer communication)

    AI-Powered Features

  • Automatic categorization of ideas and feedback
  • Sentiment analysis of user feedback
  • Duplicate detection for ideas
  • Smart prioritization recommendations
  • Content generation assistance
  • Trend detection and analysis

    • Data is sent to OpenAI for processing but is not used for training their models. See "Third-Party Services" section for details.

    Legal basis: Performance of contract, legitimate interests (product improvement)

    Analytics and Improvement

  • Understand how users interact with our Service
  • Identify bugs and performance issues
  • Develop new features based on usage patterns
  • Improve user experience and interface design

    • Legal basis: Legitimate interests (product improvement), consent (for analytics cookies)

    Security and Fraud Prevention

  • Detect and prevent fraudulent activity
  • Identify and block malicious users
  • Rate limiting and spam prevention
  • Security monitoring and incident response

    • Legal basis: Legitimate interests (security), legal obligation

    Data Sharing and Third-Party Services

    We share your data with trusted third-party service providers who assist us in operating our Service. We do not sell your personal data to third parties.

    Service Providers

    Firebase (Google Cloud Platform)

  • Purpose: Hosting, authentication, database, analytics
  • Data shared: All user data and content
  • Location: EU and US data centers
  • Privacy Policy: https://firebase.google.com/support/privacy

    • Stripe

  • Purpose: Payment processing
  • Data shared: Email, name, payment information, subscription data
  • Location: Global
  • Privacy Policy: https://stripe.com/privacy

    • OpenAI

  • Purpose: AI features (categorization, sentiment analysis, content generation)
  • Data shared: Idea titles, descriptions, feedback content (ephemeral, not retained)
  • Location: US
  • Privacy Policy: https://openai.com/privacy
  • Note: Your data is processed but not used to train OpenAI models

    • Resend

  • Purpose: Transactional email delivery
  • Data shared: Email address, display name, email content
  • Location: US
  • Privacy Policy: https://resend.com/privacy

    • What We DO NOT Do

    We explicitly do not:

  • Sell your personal data to advertisers or data brokers
  • Share data for advertising purposes outside of our Service
  • Use your content to train AI models without explicit consent
  • Provide data to third parties except as described in this policy
  • Track you across other websites (no cross-site tracking)

    • Your Rights Under GDPR

    If you are located in the European Economic Area (EEA), UK, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR). We are committed to facilitating the exercise of these rights.

    Right to Access (Article 15)

    You have the right to:

  • Request access to your personal data
  • Receive a copy of your data
  • Understand how we process your data

    • How to exercise: Go to Settings > Privacy > Download Your Data to export all your data in JSON format.

    Right to Rectification (Article 16)

    You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete data

    • How to exercise: Go to Settings > Account to update your display name and other account information. For email changes, contact us at info@shiplist.app.

    Right to Erasure / "Right to be Forgotten" (Article 17)

    You have the right to:

  • Request deletion of your personal data
  • Have your data removed from our systems

    • How to exercise: Go to Settings > Danger Zone > Delete My Account. This will permanently delete all your data.

    Important notes:

  • Account deletion is permanent and cannot be undone
  • Some data may be retained for legal compliance (e.g., payment records for tax purposes: 7 years)
  • Backup data is retained for 30 days, then permanently deleted
  • You must cancel any active subscriptions before deleting your account

    • Right to Data Portability (Article 20)

    You have the right to:

  • Receive your data in a structured, machine-readable format (JSON)
  • Transfer your data to another service

    • How to exercise: Go to Settings > Privacy > Download Your Data. You will receive a JSON file containing:

  • Your account information
  • All roadmaps, features, and items
  • All ideas and feedback
  • All comments and announcements
  • Privacy settings and preferences
  • Aggregated vote counts

    • Right to Object (Article 21)

    You have the right to:

  • Object to processing based on legitimate interests
  • Opt out of analytics and marketing communications

    • How to exercise:

  • Analytics: Go to Settings > Privacy to disable analytics cookies
  • Email notifications: Go to Settings > Notifications to manage preferences
  • Marketing: Unsubscribe via links in emails or contact info@shiplist.app

    • Right to Restrict Processing (Article 18)

    You have the right to:

  • Request limitation of data processing in certain circumstances
  • Suspend processing while verifying accuracy of data

    • How to exercise: Contact us at info@shiplist.app with your specific request.

    How to Exercise Your Rights

    Self-Service (Recommended):

    Most rights can be exercised directly through your account:

  • Settings > Account: Update personal information
  • Settings > Privacy: Manage cookie consent, download data
  • Settings > Notifications: Manage email preferences
  • Settings > Danger Zone: Delete your account

    • Contact Us:

    For rights that cannot be exercised via settings:

  • Email: info@shiplist.app
  • Subject line: "GDPR Data Request"
  • Include: Your account email, specific request, and any relevant details

    • Response Time: We will respond within 30 days of receiving your request, as required by GDPR. If your request is complex, we may extend this by an additional 60 days and will notify you.

    Verification: We may request additional information to verify your identity before processing requests.

    Right to Lodge a Complaint

    You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

    EU/EEA: Contact your local Data Protection Authority

    UK: Information Commissioner's Office (ICO) - https://ico.org.uk

    We encourage you to contact us first at info@shiplist.app so we can address your concerns directly.

    Data Security

    We implement industry-standard security measures to protect your data from unauthorized access, alteration, disclosure, or destruction.

    Technical Security Measures

    Encryption:

  • In transit: All data transmitted via HTTPS/TLS 1.3
  • At rest: Data encrypted in Firebase Cloud Firestore

    • Security Headers:

  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options (prevents clickjacking)
  • X-Content-Type-Options (prevents MIME sniffing)
  • Content Security Policy (CSP)
  • X-XSS-Protection

    • Application Security:

  • HTML sanitization (DOMPurify) to prevent XSS attacks
  • Rate limiting to prevent abuse
  • CSRF protection
  • SQL injection prevention (parameterized queries)
  • Regular security audits and vulnerability scanning

    • Authentication & Access Control

  • Passwords hashed with industry-standard algorithms (never stored in plain text)
  • Firebase Authentication for secure session management
  • Role-based access control (RBAC)
  • Automatic session timeout after inactivity
  • Protection against brute-force attacks
  • Future: Two-factor authentication (2FA) support

    • Organizational Security

  • Limited employee access to user data (need-to-know basis)
  • Security training for all team members
  • Incident response plan
  • Regular backups (encrypted and stored securely)
  • Data retention and deletion policies

    • Data Breach Notification

    In the event of a data breach that affects your personal data:

  • We will notify you within 72 hours of becoming aware of the breach (GDPR requirement)
  • We will notify relevant supervisory authorities as required by law
  • The notification will include the nature of the breach, potential consequences, and measures taken
  • We will provide guidance on steps you can take to protect yourself

    • Cookies and Tracking

    For detailed information about our cookie usage, please see our Cookie Policy.

    Summary:

  • Essential cookies: Required for authentication and security (always active)
  • Preference cookies: Remember your theme and settings (always active)
  • Analytics cookies: Track usage patterns (optional, requires your consent)

    • Managing Cookies:

  • Cookie consent banner: Appears on first visit
  • Settings > Privacy: Manage cookie preferences
  • Browser settings: Block or delete cookies (may affect functionality)
  • Do Not Track: We respect DNT browser signals

    • Data Retention

    We retain your data for as long as necessary to provide the Service and comply with legal obligations.

    Active Accounts

  • User data: Retained while your account is active
  • Roadmaps and content: Retained indefinitely until you delete them
  • Analytics data: Aggregated and anonymized, retained indefinitely
  • Session data: Automatically deleted after 30 days of inactivity

    • Deleted Accounts

  • Immediate deletion: User data, roadmaps, ideas, comments, announcements
  • Backup retention: Deleted data may remain in backups for up to 30 days, then permanently deleted
  • Legal retention: Payment records retained for 7 years for tax and legal compliance
  • Anonymized data: Aggregated, anonymized analytics may be retained indefinitely

    • Inactive Accounts

  • We do not automatically delete inactive accounts
  • You can delete your account at any time via Settings > Danger Zone
  • If you wish to delete an inactive account, contact info@shiplist.app

    • Children's Privacy

    Shiplist is not intended for use by children under the age of 16.

  • We do not knowingly collect personal data from children under 16
  • If we discover that a child under 16 has provided personal data, we will delete it immediately
  • Parents or guardians who believe their child has provided data should contact us at info@shiplist.app

    • By using the Service, you represent that you are at least 16 years old.

    International Data Transfers

    Shiplist is hosted on Firebase (Google Cloud Platform), which operates data centers globally.

    Data Storage Locations:

  • Primary: EU data centers (for EU users)
  • Secondary: US data centers

    • GDPR Compliance:

  • Data transfers comply with GDPR Chapter V
  • Google Cloud (Firebase) uses Standard Contractual Clauses (SCCs) approved by the European Commission
  • Additional safeguards: Encryption, access controls, data minimization

    • Third-Party Services:

  • Stripe: Global payment processing with GDPR compliance
  • OpenAI: US-based, data processed ephemerally (not retained)
  • Resend: US-based email delivery

    • For more information on international transfers, contact info@shiplist.app.

    AI Processing and Third-Party AI Services

    We use OpenAI's API for AI-powered features. Here's what you need to know:

    AI Features

  • Categorization: Automatic organization of ideas and feedback
  • Sentiment Analysis: Understanding user sentiment in feedback
  • Duplicate Detection: Identifying similar ideas
  • Content Generation: Writing assistance for announcements and descriptions
  • Prioritization: Smart recommendations for feature prioritization
  • Trend Detection: Identifying patterns in user feedback

    • Data Sent to OpenAI

    When using AI features, we send:

  • Idea titles and descriptions
  • Feedback content
  • User-submitted text content

    • We do NOT send:

  • Email addresses
  • Passwords
  • Payment information
  • Personal identifiable information (PII)

    • OpenAI Data Handling

    According to OpenAI's API data handling policies:

  • Data sent via API is NOT used to train models
  • Data is processed ephemerally (temporarily, not stored long-term)
  • Data is not shared with third parties beyond OpenAI's operations
  • Data is deleted after processing (typically within 30 days)

    • For the most up-to-date information, see OpenAI's Privacy Policy: https://openai.com/privacy

    Opting Out of AI Features

    Currently, AI features are integral to certain Service functionalities. If you have concerns about AI processing:

  • Avoid using AI-powered features (categorization, sentiment analysis, etc.)
  • Contact us at info@shiplist.app to discuss alternatives

    • We are exploring options for opt-out controls in future updates.

    California Privacy Rights (CCPA)

    If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA).

    Your CCPA Rights

    Right to Know: Request disclosure of personal data collected (equivalent to GDPR Right to Access)

    Right to Delete: Request deletion of your personal data (equivalent to GDPR Right to Erasure)

    Right to Opt-Out: Opt out of the "sale" of personal data - We do NOT sell your personal data

    Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

    How to Exercise CCPA Rights

    The processes described in the "Your Rights Under GDPR" section also apply to CCPA rights:

  • Data export: Settings > Privacy > Download Your Data
  • Account deletion: Settings > Danger Zone > Delete My Account
  • Contact us: info@shiplist.app

    • We will verify your identity and respond within 45 days (as required by CCPA).

    Do Not Sell My Personal Information

    We do NOT sell your personal information.

    Shiplist does not sell, rent, or trade personal data to third parties for monetary or other valuable consideration. We only share data with service providers as described in this Privacy Policy.

    Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features.

    Notification of Changes:

  • Material changes: We will notify you via email and/or prominent notice on the Service at least 30 days before changes take effect
  • Minor changes: Updated "Last Updated" date at the top of this policy
  • Continued use: Your continued use of the Service after changes constitutes acceptance of the updated policy

    • Objecting to Changes:

    If you do not agree with changes to this Privacy Policy, you may:

  • Stop using the Service
  • Delete your account (Settings > Danger Zone)
  • Contact us at info@shiplist.app to discuss concerns

    • Version History:

    Previous versions of this Privacy Policy are available upon request.

    Governing Law and Jurisdiction

    This Privacy Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of Italy.

    Jurisdiction:

    Any disputes relating to this Privacy Policy or our data processing practices shall be subject to the exclusive jurisdiction of the competent courts of Italy.

    EU Users:

    Nothing in this section affects your rights as a data subject under the GDPR, including your right to lodge a complaint with your local supervisory authority.

    International Users:

    If you are accessing the Service from outside Italy, please be aware that your information may be transferred to, stored, and processed in Italy and other countries where our service providers operate.

    Contact Us

    If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

    Email: info@shiplist.app

    Subject line: "Privacy Policy Inquiry"

    Mailing Address:

    Maria Saggese

    Via Giacomo Brodolini 14

    Italia

    Data Protection Officer:

    Maria Saggese

    info@shiplist.app

    Response Time: We aim to respond to all inquiries within 5 business days. For GDPR/CCPA data requests, we will respond within the legally required timeframes (30 days for GDPR, 45 days for CCPA).

    Supervisory Authority (EU/EEA users):

    If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. A list of authorities can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en